In this article, we’ll look at DNS security, what it means for your business, and how using Proton VPN provides your business with the DNS security it needs.
The Domain Name System (DNS) translates human-friendly domain names to the numeric IP addresses that computers use to identify websites and other internet resources. It therefore plays a vital role in how we all use the internet, including for work.
Unfortunately, DNS was invented in 1983, long before the need for online security was ever considered. By default, DNS requests are sent in plaintext for anyone to see, and are easily hijacked to redirect to malicious domains. This situation is dangerous enough for individual internet users, but is potentially catastrophic in a business context.
- What is DNS?
- DNS and privacy for businesses
- DNS and security for businesses
- DNS security solutions
- How Proton VPN can protect your business’s DNS
- Final thoughts: The importance of DNS protection for businesses
What is DNS?
Computers identify every device that connects directly to the internet with a unique numerical IP address. The older IPv4 system uses eight-digit addresses (such as 185.159.159.140), but these are running out, so the newer IPv6 standard uses a hexadecimal system (containing both digits and letters) that can be up to 45 characters long (such as 2001:db8::8a2e:370:7334).
This is great for computers, but not for humans, who are far better at remembering letter-based addresses (domain names) that make sense to us (such as protonvpn.com). DNS allows humans to enter domain names that we understand and maps them to numerical addresses that computers understand. In essence, it behaves like a phone book that cross-references domain names and IP addresses.
When you enter a domain name (for example, into a browser address bar), a DNS query is sent to a DNS server, which resolves the query. That is, it translates the domain name to its corresponding IP address.
Learn more about how DNS works
DNS and privacy for businesses
DNS is useful but creates a big security problem: Anyone with access to your company’s DNS queries effectively knows its entire browsing history, including that of all staff members who use an office network to connect to the internet.
DNS and your company’s ISP
By default, DNS queries are resolved by your internet service provider (ISP). Unfortunately, ISPs are not in the business of protecting individuals’ or businesses’ privacy. Most government mass spying programs rely on requiring ISPs to keep logs of their customers’ browsing histories. And, because it is easy and cheap, most ISPs meet these legal obligations by keeping only DNS logs.
In some countries (such as the United States), ISPs are even permitted to use or sell customers’ DNS records for advertising and analytics purposes.
DNS and corporate surveillance
Most DNS queries are sent to the DNS server in plaintext, meaning any entity that can intercept them will know your entire company’s browsing history. This reveals your company’s contacts, business associates, suppliers, and customers, the government and health and safety regulatory bodies it interacts with, and much more.
All of this data is potentially highly valuable information to competitors.
DNS and security for businesses
In addition to passively snooping on your business’s browsing history, hackers can exploit DNS to perform a variety of active attacks. Many of these target the DNS server itself (typically various forms of denial-of-service attack aimed at overloading the server), but unless your company runs its own DNS servers (and some do), such attacks are unlikely to be a threat to your business.
DNS-based attacks that can be a threat to most businesses include:
DNS spoofing
To speed up the lookup process and reduce the load on DNS servers, the results of frequent queries are often stored (cached) locally on the DNS server. To perform a DNS spoofing attack (also known as DNS poisoning), an attacker inserts false DNS records into the DNS server’s cache.
This can be done by using a man-in-the-middle attack (intercepting the query between the user’s device and the DNS server) or via cache poisoning (exploiting vulnerabilities in the DNS server software to inject malicious entries into its cache).
Once the DNS cache is poisoned, when a user tries to visit a legitimate website, the corrupted DNS record redirects them to a different IP address controlled by the attacker. As with phishing attacks, this typically results in passwords and credit card information being stolen and/or malware being installed on your company’s computers.
DNS tunneling
Often used as a tool of corporate surveillance for bypassing firewalls and other security measures aimed at preventing the exfiltration (theft) of sensitive data, DNS tunneling encodes the data so it can be transmitted within DNS queries and responses, effectively using the DNS infrastructure as a covert communication channel.
It can also be used by attackers to maintain communication with compromised systems, sending commands and receiving outputs without detection. DNS tunneling exploits the fact that DNS traffic is often less scrutinized by security devices compared to other types of traffic, making it an effective method of bypassing firewalls and filters.
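As an added example (not from the original article), the kind of heuristic a network defender might run over resolver logs to surface the pattern described above: long, high-entropy leftmost labels and many unique subdomains under one parent domain. The log lines, thresholds and domain names are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver query log, one "<client_ip> <qtype> <qname>" per line.
# Made-up sample data, not real traffic; example-tunnel.net is a placeholder.
SAMPLE_LOG = """\
10.0.0.12 A www.protonvpn.com.
10.0.0.12 A mail.example-corp.internal.
10.0.0.31 TXT 5a3f9c0e7b1d4a2e8f6c0b9d3e1a7f5c2b8d4e6f.c2.example-tunnel.net.
10.0.0.31 TXT 9e1b7d3f5a2c8e4b6d0f1a3c5e7b9d2f4a6c8e0b.c2.example-tunnel.net.
10.0.0.31 TXT 0c4e8a2f6b1d5e9c3a7f2b8d4e0c6a1f5b9d3e7c.c2.example-tunnel.net.
10.0.0.31 TXT 7b3d9f1e5c2a8e4b0d6f2a4c8e1b5d9f3a7c2e6b.c2.example-tunnel.net.
10.0.0.7 A cdn.example-corp.internal.
"""

LABEL_LEN_THRESHOLD = 30        # hostnames this long are rare in ordinary browsing
ENTROPY_THRESHOLD = 3.0         # bits per character; encoded payloads score high
UNIQUE_SUBDOMAIN_THRESHOLD = 3  # many distinct names under one parent = channel in use

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Last two labels of the name, a rough stand-in for the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_encoded(qname: str) -> bool:
    """Per-query heuristic: the leftmost label is long and high-entropy."""
    first = qname.split(".")[0]
    return len(first) >= LABEL_LEN_THRESHOLD and shannon_entropy(first) >= ENTROPY_THRESHOLD

def find_tunneling_candidates(log_text: str) -> dict:
    """Return {(client, parent_domain): unique_name_count} for clients that send
    several encoded-looking names under the same parent domain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _qtype, qname = line.split()
        if looks_encoded(qname):
            seen[(client, parent_domain(qname))].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= UNIQUE_SUBDOMAIN_THRESHOLD}
```

Real deployments would also weigh query volume per client, TXT/NULL record ratios, and allow-lists for legitimate long-label services such as CDNs and anti-spam lookups.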
DNS security solutions
Most ISPs implement no DNS security measures whatsoever (and generally have no interest in protecting your business’s privacy). However, third-party DNS providers such as Cloudflare 1.1.1.1, Quad9, and OpenNIC have a much stronger privacy and security focus. This includes using technologies that make DNS much more secure.
Private DNS
Private DNS (also known as encrypted DNS) uses the DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), or DNSCrypt security protocols to encrypt DNS queries between the device making the query and the DNS server.
This ensures your ISP (or anyone else monitoring your company’s internet connection) can’t see your DNS queries.
Learn more about private DNS
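An added example (not from the original article or from Proton) tying together the spoofing section and the DoH protocol described here: it builds a wire-format DNS query, wraps it in the RFC 8484 GET form that a DoH client sends inside HTTPS, and shows the match check a resolver applies before trusting any answer. The resolver URL, transaction IDs and response data are constructed for illustration.

```python
import base64
import secrets
import struct
from typing import Optional

def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD=1, one question) + question."""
    if txid is None:
        txid = secrets.randbits(16)  # an unpredictable ID is one basic anti-spoofing measure
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # qclass 1 = IN

def doh_get_url(resolver_base: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded without '=' padding,
    travels inside an HTTPS request, so on-path observers see only TLS."""
    return resolver_base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply to 'query' carrying a single A record (sample data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a reply only if QR=1, the transaction ID matches, and the echoed
    question is byte-identical to ours. A resolver discards anything else, which
    is why a forged answer has to guess these fields to poison a cache."""
    if len(response) < len(query):
        return False
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, r_flags = struct.unpack("!HH", response[:4])
    return q_id == r_id and bool(r_flags & 0x8000) and response[12:len(query)] == query[12:]
```

The encoded `dns=` value for `www.example.com` with transaction ID 0 equals the example given in RFC 8484, which is a handy self-check when implementing a DoH client.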
Private DNS is clearly a huge improvement over sending DNS queries in plaintext, although it’s not as private as using a VPN service, which encrypts not just your DNS requests, but all your company’s sensitive data, thus completely preventing your ISP from seeing what your business does online. It also hides your real IP address from websites your staff members visit.
DNSSEC
Domain Name System Security Extensions (DNSSEC) is a suite of specifications designed to add an extra layer of security to DNS.
DNSSEC:
- Ensures the responses to DNS queries are authentic. It does this by using digital signatures to sign DNS data, which are then validated by the client. This helps to verify that the data has not been tampered with and that it indeed comes from the legitimate source.
- Guarantees the data has not been altered in transit. It does this by digitally signing the DNS data, which protects against man-in-the-middle attacks and prevents anyone modifying the data.
How Proton VPN can protect your business’s DNS
In addition to providing gateway IP addresses to secure your company’s resources, Proton VPN for Business provides robust DNS security:
- All DNS requests are sent through the encrypted VPN tunnel to be resolved by our own secure DNS servers (so there’s no need for private DNS solutions)
- We never log your DNS queries (or anything else, for that matter)
- Our NetShield Ad-blocker feature is a DNS filter that blocks DNS queries to malicious domains known for ads, trackers, and (optionally, for greater control) malware
- Your DNS servers use DNSSEC to authenticate DNS data (except for domains blocked by NetShield, which we don’t resolve anyway)
Final thoughts: The importance of DNS protection for businesses
DNS security is often overlooked, but should be an important consideration for any business assessing its security posture. Indeed, attacks such as DNS tunneling exist precisely because often not enough care is taken to secure businesses’ DNS queries.
With Proton VPN for Business, you can be sure that all DNS queries are encrypted, no DNS logs are kept, and DNS resolutions are authenticated using DNSSEC.